Nightfall Documentation

Create Regular Expression Detector

Learn how to create a Regular Expression detector in Nightfall.

Last updated 6 months ago

A regular expression detector lets you define a regular expression pattern. Once you define a pattern, Nightfall scans your data for anything that matches it. Each match is flagged as sensitive data. You can also refer to this link to generate regular expressions.

Understanding Context Rules and Exclusion Rules

To help you use the Regular Expression detector effectively, Nightfall provides two special rules: Context Rules and Exclusion Rules. When Nightfall scans your data and finds a match, it uses these rules to scrutinize the match further and confirm that the data is actually sensitive. Context rules and Exclusion rules are optional. Define them only if you want this additional filtering on flagged data.

Context rules are a set of hot and cold words that help Nightfall to effectively identify sensitive data.

Exclusion rules define specific scenarios in which data flagged by a detector should be excluded from the list of findings.

You can find these rules in the Regular Expression detector. You must click + Rule to create a Context rule or Exclusion rule.

Context Rules

Context rules help Nightfall identify sensitive data by providing data about the text surrounding sensitive data. You can define a regular expression pattern to match the data that usually surrounds sensitive data. You can then instruct Nightfall as to where this surrounding data can be generally found. It can be found before sensitive data, after sensitive data, or both before and after sensitive data. You can also define confidence level settings when a match is found.

For example, credit card data is sensitive data. A user who accidentally shares it online generally writes one of the following phrases before disclosing the credit card number.

  • my credit card details are

  • my credit card number is

  • Please find below my credit card details

  • My credit card number is as follows

After disclosing the credit card information, users generally write one of the following messages.

  • Please find my credit card details above

  • I have shared my credit card details

  • Shared my credit card details. Please do the needful

  • As requested, shared my credit card details. Let me know if you need any further details

You can also choose to make your regular expression case-sensitive by selecting the Case sensitive check box.

The terms "Finding" and "Sensitive data" are used synonymously.

Windows Setting: Once you create the regular expression that defines the phrases that can surround the sensitive data, you can use the Windows setting to tell Nightfall where this surrounding text can appear relative to the sensitive data (before, after). Nightfall provides the following Windows settings.

  • Before the finding: Use this setting to define the number of characters before the prospective sensitive data within which surrounding text can be found. For example, if you define this setting as 20 characters before the finding, and Nightfall detects the prospective sensitive data on line 4 column 60, it looks at the data on line 4 from column 40 to check if it matches the regular expression defined for Context rules.

  • After the finding: Use this setting to define the number of characters after the prospective sensitive data within which surrounding text can be found. For example, if you define this setting as 20 characters after the finding, and Nightfall detects the prospective sensitive data on line 4 column 60, it looks at the data on line 4 from column 60 to check if it matches the regular expression defined for Context rules.

  • Before or after the finding: Use this setting to define the number of characters before or after the prospective sensitive data within which surrounding text can be found. For example, if you define this setting as 20 characters before or after the finding, and Nightfall detects the prospective sensitive data on line 4 column 60, it looks at the data on line 4 from column 60 and also at the data on line 4 from column 40 to check if either of the two matches the regular expression defined for Context rules.

Confidence Change: If Nightfall finds prospective sensitive data and that data also matches the Context rules, the Confidence change setting tells Nightfall how to label it. Nightfall provides four Confidence change settings.

  • Exclude: If you set the Confidence Change setting to Exclude, Nightfall does not consider the prospective Finding to be sensitive (even though it matched both the sensitive data's regular expression and the Context rule's regular expression and Windows setting) and excludes it from Findings. You can use this setting to eliminate false positive findings. For example, consider that one of your prospective customers is testing your API and you need to share an API key for this testing. You share a dummy API key and do not want this API key to be flagged as sensitive data. You can ask your employees to write a specific phrase before sharing the API key (something like "the dummy API key is"). You can then define a context rule for this phrase, set the Windows setting to define where exactly it can be found, and set Exclude as the Confidence change setting, to exclude this dummy API key from being flagged as sensitive data.

  • Possible: If you set the Confidence Change setting to Possible, Nightfall classifies the prospective finding as actual sensitive data and logs it on the Sensitive Data Protection Events page as a Possible finding (around 20-30% chance of the data actually being sensitive). For example, in the scenario described above for the Exclude option, if you want to be notified even for dummy API keys, to make sure that your employees have not shared an actual API key instead of a dummy key, you can use the Possible setting. This setting logs the finding on the Violations page as a Possible finding. You can check the finding on the Violations page and, if it is a dummy API key and not a live API key, set the finding to Ignore from the Violations page.

  • Likely: If you set the Confidence Change setting to Likely, Nightfall classifies the prospective finding as actual sensitive data and logs it on the Sensitive Data Protection Events page as a Likely finding (around 50-60% chance of the data actually being sensitive). For example, consider the scenario described above for the Exclude option. Your employees may sometimes share a dummy API key with prospective customers without using the mandatory phrase ("the dummy API key is"), and use some other phrase instead. You cannot be sure whether they shared dummy API keys or live API keys. In such cases, you can set the Confidence to Likely (50-60% chance of the data actually being sensitive). Nightfall logs it as a Finding on the Violations page with the Likely confidence level. You can view the Violations page, verify the Finding tagged as Likely, and take appropriate action based on whether the data is actually sensitive.

  • Very Likely: If you set the Confidence Change setting to Very Likely, Nightfall classifies the prospective finding as actual sensitive data and logs it on the Sensitive Data Protection Events page as a Very Likely finding (around 80-90% chance of the data actually being sensitive). For example, consider the scenario described above for the Exclude option. Apart from the dummy API key, your organization holds a lot of sensitive data. An employee who accidentally shares such information generally uses phrases like "our organization's API keys are", "our API OAuth key is", "the password is..." and so on. You can create a regular expression for all such phrases, define the Window settings for them, and then set the Confidence level to Very Likely. Nightfall logs such findings on the Violations page as Very Likely findings (80-90% chance of the data actually being sensitive). You can navigate to the Violations page and take appropriate action.

Once you create the regular expression for the Context rule and define the Windows setting and the Confidence Change setting, click Save to create the context rule.

Once you save the Context rule, Nightfall creates a sentence that summarizes it. You can edit or delete the rule, if required.

Exclusion Rules

Exclusion rules specify data that is not sensitive in nature (false positive findings). If Context rules alone do not stop false positive findings from being logged, you can use Exclusion rules. You can also use Exclusion rules and Context rules together to eliminate false positive findings.

Nightfall provides four methods for defining Exclusion rules.

Regex

For example, consider that one of your prospective customers is testing your API and you need to share an API key for this testing. You create a series of dummy API keys (say ABCD1234, ABCD2345, ABCD3124, ABCD5412, and so on). You can create a regular expression to match each of these dummy API keys and select the Full match option. Nightfall does not treat any of these as sensitive data and excludes them.

Notice that all the API keys start with the term ABCD. In such cases, you can use the Partial match option and define a regular expression for just one of the API keys. This is helpful if you have hundreds of dummy API keys that share some common data. You need not create a regular expression for each of them.

Since all the dummy API keys start with ABCD, Nightfall excludes any of these API keys as soon as it detects them. In this case, you must ensure that none of the live API keys have the term ABCD in them.
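The following is an added example, not Nightfall's code: a small local model of how a Context rule's window and confidence change combine with Full and Partial match exclusions, for trying patterns on sample text before entering them in the console. The rule classes, the window slicing, the first-matching-rule order, the POSSIBLE default, the detector pattern and the sample strings are all assumptions, and the patterns use only syntax common to RE2 and Python's `re`.

```python
import re
from dataclasses import dataclass

@dataclass
class ContextRule:
    pattern: str      # regex for the phrase surrounding the finding
    window: int       # number of characters inspected
    position: str     # "before", "after" or "both"
    confidence: str   # "EXCLUDE", "POSSIBLE", "LIKELY" or "VERY_LIKELY"

@dataclass
class ExclusionRule:
    pattern: str
    full_match: bool  # True models "Full match", False models "Partial match"

def is_excluded(value, rules):
    """True if any exclusion rule matches the candidate value."""
    for rule in rules:
        rx = re.compile(rule.pattern)
        if rx.fullmatch(value) if rule.full_match else rx.search(value):
            return True
    return False

def context_confidence(text, start, end, rules, default):
    """Confidence set by the first context rule whose window matches (assumed order)."""
    for rule in rules:
        before = text[max(0, start - rule.window):start]
        after = text[end:end + rule.window]
        windows = {"before": [before], "after": [after],
                   "both": [before, after]}[rule.position]
        if any(re.search(rule.pattern, w) for w in windows):
            return rule.confidence
    return default

def scan(text, detector, context_rules=(), exclusion_rules=(), default="POSSIBLE"):
    """Return (value, confidence) for every finding that survives the rules."""
    findings = []
    for m in re.finditer(detector, text):
        value = m.group(0)
        if is_excluded(value, exclusion_rules):
            continue
        confidence = context_confidence(text, m.start(), m.end(),
                                        context_rules, default)
        if confidence != "EXCLUDE":
            findings.append((value, confidence))
    return findings

# Constructed detector and messages, modelled on the page's dummy keys.
DETECTOR = r"\b[A-Z0-9]{8}\b"
TEXT_DUMMY = "For the sandbox, the dummy API key is ABCD1234"
TEXT_LIVE = "our API OAuth key is ZQ7ABCD9"   # live key that happens to contain ABCD

DUMMY = ContextRule(r"(?i)dummy API key is", 20, "before", "EXCLUDE")
LIVE = ContextRule(r"(?i)our (organization's )?API (OAuth )?keys? (is|are)",
                   30, "before", "VERY_LIKELY")

if __name__ == "__main__":
    # Context rule excludes the dummy key when the window covers the phrase.
    print(scan(TEXT_DUMMY, DETECTOR, [DUMMY, LIVE]))
    # A 10-character window cuts the phrase off, so the key is still reported.
    short = ContextRule(DUMMY.pattern, 10, "before", "EXCLUDE")
    print(scan(TEXT_DUMMY, DETECTOR, [short]))
    # Partial match on "ABCD" also suppresses the live key.
    print(scan(TEXT_LIVE, DETECTOR, [LIVE], [ExclusionRule("ABCD", False)]))
    # Full match on the dummy-key shape keeps the live key visible.
    print(scan(TEXT_LIVE, DETECTOR, [LIVE], [ExclusionRule(r"ABCD\d{4}", True)]))
```
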

Dictionary

If you have a hard time creating regular expressions for content that needs to be excluded, you can use the Dictionary option. This option lets you define phrases that must not be considered sensitive data. You can use it to directly define commonly used passwords, dummy API keys, and so on.

The Dictionary exclusion rule has three options.

  • Manual Entry: With this option, you directly enter the password or API key to be excluded and press Enter. You can add multiple items (no delimiter is needed). You can choose to match the string partially or fully.

  • Existing Dictionary: With this option, you choose an existing Dictionary detector as the exclusion token. When you select the Existing Dictionary option, a new drop-down menu is displayed. You can select any of the previously created Dictionary detectors.

  • Upload Dictionary: With this option, you upload a new dictionary. The process is the same as for a Dictionary detector. You can refer to the Creating Dictionary Detector document for details.

File Type

The File Type exclusion rule allows you to exclude a specific file type. If Nightfall finds that the prospective sensitive data is part of one of the file types defined in this section, it excludes it.

The File Type rule provides two options.

  • New File Type: This option allows you to define new file type(s) that must be excluded.

  • Existing Custom Detector: This option allows you to use a File Type Detector created previously as the exclusion token. When you select this option, a new drop-down menu is displayed which consists of the list of previously created File type detectors. You can select the required detector.

Known Files

This option allows you to upload a file containing all the data that you consider not sensitive. Nightfall checks whether any of the prospective findings match the data in this file. If a match is found, the data is not considered sensitive and is excluded from Findings. You can also use an existing File Fingerprint detector as the input token.

There are two options in this rule.

  • Upload New File: This option allows you to upload a new file.

  • Existing Custom Detector: This option allows you to use a previously created custom File Fingerprint detector.

Create Regex Detector

You can execute the following steps to create a Regex detector.

  1. Navigate to the Detectors section from the left pane.

  2. Click + Custom Detector and select Regular Expression.

  3. Enter a name for your custom Detector in the Name field.

  4. (Optional) Enter a description for the Detector in the Description field.

  5. (Optional) Select the Case sensitive check box if you want the pattern to be matched case-sensitively.

  6. (Optional) Click + Rule under the CONTEXT RULES section and define a regular expression pattern for the Context rule.

  7. (Optional) Click + Rule under the EXCLUSION RULES section and define a regular expression pattern for the Exclusion rule.

  8. Click ADD.

Context rules involve creating regular expressions that define the phrases that surround sensitive data. You can use this link to generate regular expressions for this surrounding data. Define the Context rule regular expression in the Pattern to match text box.

For Exclusion rules, you can use the Regex method and define a regular expression. If prospective sensitive data matches the defined regex, it is immediately excluded from being considered a Finding. Nightfall also lets you match either the whole regular expression or a part of it. You can use this link to generate regular expressions.

Enter the regular expression pattern, in RE2 Syntax, in the Regex field.